Voluntary Participation in Cyber-insurance Markets

The study of cyber-insurance, both as a method for transferring residual cyber-security risks, and as an incentive mechanism for internalizing the externalities of security investments in interdependent systems, has received considerable attention in the literature. On one hand, it has been shown that competitive insurance markets, even though ensuring user participation, fail to improve the overall network security. On the other hand, existing literature illustrates how a monopolist insurer can induce socially optimal behavior (under a binary decision model). Nevertheless, participation in the latter market is assumed to be mandatory. In this paper, we ask the question of whether socially optimal security investments in an interdependent system can be incentivized through non-compulsory insurance. To do so, we will not consider the competitive market model due to its inefficiencies, and focus instead on the role of a monopolist profit-neutral insurer acting as a regulator in implementing the socially optimal investment profile in an interdependent security game. We first propose an insurance design mechanism that allows a continuous decision model. We then study users’ participation incentives under this mechanism. We show that due to the non-excludable nature of security as a public good, there may exist scenarios in which it is impossible to guarantee that users voluntarily purchase insurance. We discuss the implication of this impossibility and possible ways to circumvent it.
